The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Privacy impact assessments code published

News release: 25 February 2014

The Information Commissioner’s Office (ICO) has published its updated privacy impact assessments code of practice to help organisations respect people’s privacy when changing the way they handle people’s information.

The code explains the privacy issues that organisations should consider when planning projects that use personal information, including the need to consult with stakeholders, identify privacy risks and address these risks in the final project plan.

With a research study carried out by the ICO last year showing that only 40% of people believe that organisations handle their information in a fair and proper way, privacy impact assessments can be an important means of retaining consumer trust by showing that organisations are working to respect people’s privacy.

ICO Head of Policy, Steve Wood, said:

“The development of projects involving the processing of large amounts of personal information is no longer the preserve of the public sector and large businesses. Today even an app developer can be developing a product in their bedroom that involves using thousands of people’s information.

“This is why we have published our updated privacy impact assessments code of practice to help organisations of all sizes ensure that the privacy risks associated with a project are identified and addressed at an early stage during a project’s development.

“The updated code is designed to ensure that privacy impact assessments fit into the project development process, allowing organisations to follow a privacy by design approach to developing new ways of using people’s information. Successfully adopting this approach can only be good for consumers and for business and can enable organisations to demonstrate their compliance with the Data Protection Act.”

The publication of today’s code follows an external consultation carried out with stakeholders between August and November 2013. The consultation highlighted the need for the updated code to be flexible enough to be applicable to organisations of all sizes and for privacy impact assessments to fit into the existing project development process. These issues have been addressed in the updated guidance.

Organisations can find a more detailed analysis of how privacy impact assessments fit together with project management and risk management methodologies in the research project report privacy impact assessment and risk management, prepared for the ICO by Trilateral Research and Consulting.

The ICO will be working with the different industry sectors to help organisations embed privacy impact assessments into their existing practices.


If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at:

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection